Re: [clamav-users] Signature not detected
On Mon, July 17, 2017 10:22 pm, Alex wrote:
> Hi guys, just submitted an "ace" archive with a .cmd inside.
>
> # sha1sum PROFORMA\ INVOICE_xls.ace
> 97757622d5d568b01faa9d662818eebd40b1e0c0  PROFORMA INVOICE_xls.ace
>

Hi,

I've added Sanesecurity.Malware.27099.AceHeur.Cmd to the detections...

> We've now disabled "ace" files (who even knew they existed?)

I used to use .ace a long time ago... but for those that don't know...

"ACE is a proprietary data compression archive file format developed by Marcel Lemke, and later bought by e-merge GmbH. The peak of its popularity was 1999–2001, when it provided slightly better compression rates than RAR, which has since become more popular."

Source: https://en.wikipedia.org/wiki/ACE_(compression_file_format)

Also, a few .ace files that have come through... aren't really ace files but renamed rar files... in this case though it's an ace file.

--
Cheers,

Steve
Twitter: @sanesecurity

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] scanning mp3-files with clamscan
True MP3 files contain sounds that a media player plays. Anything executable can't be handled by the player and the worst thing that might happen would involve crashing the player, if that's even possible. Most, if not all scanners ignore such files. They take a long time to scan with a high probability of zero results. The only example I can locate that comes close to maliciousness would be one that contacts an Internet site capable of downloading actual malware. Such a site would not last long and the actual malware will likely be found before the download completes.

Feel free to locate or better yet submit a sample of anything else and you stand a chance of convincing someone that it would be worthy of changing the policy.

Sent from Janet's iPad

-Al-

--
Al Varnell
Mountain View, CA
ClamXAV User

On Jul 17, 2017, at 8:45 PM, Paul Kosinski wrote:
> Are MP3 files ignored because it is impossible that MP3 software ever
> has buffer overflows or other security flaws???
>
> Or is it because MP3 files are compressed (i.e., random-looking) and
> thus may cause false positives? What about all the other compressed or
> encrypted file types which might do the same?
>
> In other words, I don't understand why they all would be ignored.
>
> On Mon, 17 Jul 2017 17:22:52 -0400, Steven Morgan wrote:
>> Rosika,
>>
>> The reason the MP3 file is not scanned is because the file type
>> signatures for MP3 direct that they are ignored. Particularly:
>>
>> "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
>> and
>> "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
>>
>> These definitions are in the daily.ftm file of the ClamAV virus
>> database.
>>
>> Steve
>>
>> On Sun, Jul 9, 2017 at 10:04 AM, Christian wrote:
>>> Hi,
>>>
>>> I want to scan an mp3-file (about 60 MB in size).
>>> My command is:
>>>
>>> clamscan /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>>>
>>> Yet I get the message: "Data scanned: 0.00 MB"
>>> First I thought that the file was too large, so I used a new command:
>>>
>>> clamscan --max-filesize=300M --max-scansize=300M /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>>>
>>> But this didn't work either.
>>> In the meantime I think that's due to the nature of the respective file. The file being mp3.
>>> Could this be the case?
>>>
>>> I also tried:
>>>
>>> dd if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3 | clamscan -
>>>
>>> Output:
>>>
>>> 126592+1 Datensätze ein
>>> 126592+1 Datensätze aus
>>> 64815503 bytes (65 MB, 62 MiB) copied, 10,9642 s, 5,9 MB/s
>>> stdin: OK
>>>
>>> --- SCAN SUMMARY ---
>>> Known viruses: 6299938
>>> Engine version: 0.99.2
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 0
>>> Data scanned: 0.00 MB
>>> Data read: 61.81 MB (ratio 0.00:1)
>>> Time: 11.596 sec (0 m 11 s)
>>>
>>> Is there any way of scanning mp3-files with clamscan?
>>>
>>> Greetings.
>>> Rosika
Re: [clamav-users] scanning mp3-files with clamscan
Are MP3 files ignored because it is impossible that MP3 software ever has buffer overflows or other security flaws???

Or is it because MP3 files are compressed (i.e., random-looking) and thus may cause false positives? What about all the other compressed or encrypted file types which might do the same?

In other words, I don't understand why they all would be ignored.

On Mon, 17 Jul 2017 17:22:52 -0400 Steven Morgan wrote:
> Rosika,
>
> The reason the MP3 file is not scanned is because the file type
> signatures for MP3 direct that they are ignored. Particularly:
>
> "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
> and
> "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
>
> These definitions are in the daily.ftm file of the ClamAV virus
> database.
>
> Steve
>
> On Sun, Jul 9, 2017 at 10:04 AM, Christian wrote:
> > Hi,
> >
> > I want to scan an mp3-file (about 60 MB in size).
> > My command is:
> >
> > clamscan /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
> >
> > Yet I get the message: "Data scanned: 0.00 MB"
> > First I thought that the file was too large, so I used a new command:
> >
> > clamscan --max-filesize=300M --max-scansize=300M /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
> >
> > But this didn't work either.
> > In the meantime I think that's due to the nature of the respective file. The file being mp3.
> > Could this be the case?
> >
> > I also tried:
> >
> > dd if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3 | clamscan -
> >
> > Output:
> >
> > 126592+1 Datensätze ein
> > 126592+1 Datensätze aus
> > 64815503 bytes (65 MB, 62 MiB) copied, 10,9642 s, 5,9 MB/s
> > stdin: OK
> >
> > --- SCAN SUMMARY ---
> > Known viruses: 6299938
> > Engine version: 0.99.2
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 0.00 MB
> > Data read: 61.81 MB (ratio 0.00:1)
> > Time: 11.596 sec (0 m 11 s)
> >
> > Is there any way of scanning mp3-files with clamscan?
> >
> > Greetings.
> > Rosika
Re: [clamav-users] scanning mp3-files with clamscan
Rosika,

The reason the MP3 file is not scanned is because the file type signatures for MP3 direct that they are ignored. Particularly:

"0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
and
"0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"

These definitions are in the daily.ftm file of the ClamAV virus database.

Steve

On Sun, Jul 9, 2017 at 10:04 AM, Christian wrote:
> Hi,
>
> I want to scan an mp3-file (about 60 MB in size).
> My command is:
>
> clamscan /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>
> Yet I get the message: "Data scanned: 0.00 MB"
> First I thought that the file was too large, so I used a new command:
>
> clamscan --max-filesize=300M --max-scansize=300M /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>
> But this didn't work either.
> In the meantime I think that's due to the nature of the respective file.
> The file being mp3.
> Could this be the case?
>
> I also tried:
>
> dd if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3 | clamscan -
>
> Output:
>
> 126592+1 Datensätze ein
> 126592+1 Datensätze aus
> 64815503 bytes (65 MB, 62 MiB) copied, 10,9642 s, 5,9 MB/s
> stdin: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6299938
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 61.81 MB (ratio 0.00:1)
> Time: 11.596 sec (0 m 11 s)
>
> Is there any way of scanning mp3-files with clamscan?
>
> Greetings.
> Rosika
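Steve's answer above explains the "Data scanned: 0.00 MB" result: the two daily.ftm lines map the MP3 magic bytes (49 44 33 = "ID3", and the ff fb 90 frame-sync header) to CL_TYPE_IGNORED. The following Python is an added example, not ClamAV's own code and not from the thread: it parses lines in that .ftm format and reports which type a file header would be classified as, so an administrator can tell in advance whether clamscan will skip a file. The sample lines are constructed (the MZ line is hypothetical, included only for contrast), and only MagicType 0 entries are handled; regex (MagicType 1) and wildcard entries are skipped.

```python
"""Added example (not ClamAV's own code): classify a file header against
ClamAV .ftm lines, format MagicType:Offset:MagicBytes:Name:RequiredType:DetectedType[:MinFL[:MaxFL]].
Only MagicType 0 (plain hex bytes at a decimal offset) is handled."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two MP3 lines from the thread, a regex line (skipped) and a hypothetical MZ line for contrast.
SAMPLE_FTM = """\
0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED
0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED
1:0:^ID3:MP3-regex:CL_TYPE_ANY:CL_TYPE_IGNORED
0:0:4d5a:MSEXE-sample:CL_TYPE_ANY:CL_TYPE_MSEXE
"""

@dataclass
class FtmEntry:
    offset: int
    magic: bytes
    name: str
    required_type: str
    detected_type: str

def parse_ftm(text: str) -> List[FtmEntry]:
    """Parse MagicType-0 lines; skip comments, blanks and other magic types."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6 or fields[0] != "0" or not fields[1].isdigit():
            continue  # regex (type 1) and other entry kinds are out of scope
        offset, magic, name, req, det = fields[1:6]
        try:
            entries.append(FtmEntry(int(offset), bytes.fromhex(magic), name, req, det))
        except ValueError:  # wildcard or malformed MagicBytes: skip as well
            continue
    return entries

def classify(header: bytes, entries: List[FtmEntry]) -> Optional[FtmEntry]:
    """Return the first entry whose magic bytes sit at its offset in header."""
    for e in entries:
        if header[e.offset:e.offset + len(e.magic)] == e.magic:
            return e
    return None

def would_be_ignored(header: bytes, entries: List[FtmEntry]) -> bool:
    """True when the matched type is CL_TYPE_IGNORED, i.e. clamscan skips it."""
    e = classify(header, entries)
    return e is not None and e.detected_type == "CL_TYPE_IGNORED"
```

To check a real file, read its first few dozen bytes and pass them together with the entries parsed from your installed daily.ftm; a CL_TYPE_IGNORED match is why the scan summary shows zero data scanned.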
Re: [clamav-users] Signature not detected
Hi guys, just submitted an "ace" archive with a .cmd inside.

# sha1sum PROFORMA\ INVOICE_xls.ace
97757622d5d568b01faa9d662818eebd40b1e0c0  PROFORMA INVOICE_xls.ace

We've now disabled "ace" files (who even knew they existed?)

On Thu, Jul 13, 2017 at 4:36 AM, wrote:
>
>
> 13.07.2017 05:32, Alex wrote:
>> On Wed, Jul 12, 2017 at 3:02 PM, Alain Zidouemba wrote:
>>> Signature will be going out shortly.
>>
>> It's now detected thanks to the amazing work by Steve from
>> sanesecurity. Also appreciate your help - perhaps his sig just hits
>> first.
>>
>> I've also just submitted another unrelated to investigate.
>>
>> $ sha1sum GOOGLESER.doc
>> d42e71932c866f9822c800fe46cd46bdf1b5e739  GOOGLESER.doc
>
> f4434f22ffc51edf9641140d1b747feeab6b5a6a  SCAN50784502102.DOC
>
>>
>>>
>>> On Wed, Jul 12, 2017 at 2:52 PM, Alex wrote:
>>>> Hi, we've received a word virus that isn't currently being detected
>>>> by any scanners. I've submitted the FN, but would like to see if we
>>>> can get that pushed out as soon as possible.
>>>>
>>>> $ sha1sum Invoice_SKMBT_20170501.doc
>>>> 6cc1dd12fbc79311ebaf59e19e562ff63141f457  Invoice_SKMBT_20170501.doc
>>>>
>>>> It's not currently being found by any scanners:
>>>> https://www.virustotal.com/en/file/5b10fb6d20649c246d970e521e4436d70608bbb8c6d6128245d349c69a76ef10/analysis/
>>>>
>>>> Also, there's some notes in the "comments" section of this post.
>>>> What does it mean? How can I use that to my benefit in the future?
>>>> Is there any way a postfix/amavisd/spamassassin/clamav user can
>>>> benefit from this information by blocking based on that signature
>>>> provided?